import openssh-8.7p1-4.el9

This commit is contained in:
CentOS Sources 2021-12-07 14:05:02 -05:00 committed by Stepan Oksanichenko
parent ac08a66175
commit 437fc8d1ad
21 changed files with 452 additions and 621 deletions

2
.gitignore vendored
View File

@ -1,3 +1,3 @@
SOURCES/gpgkey-736060BA.gpg
SOURCES/openssh-8.6p1.tar.gz
SOURCES/openssh-8.7p1.tar.gz
SOURCES/pam_ssh_agent_auth-0.10.4.tar.gz

View File

@ -1,3 +1,3 @@
dbb35b4e9ae3f72b930a82c6fd5e83e9dcd7b193 SOURCES/gpgkey-736060BA.gpg
8f9f0c94317baeb97747d6258f3997b4542762c0 SOURCES/openssh-8.6p1.tar.gz
8719032c1e47732c8fdb14adfb24b5e9e71de802 SOURCES/openssh-8.7p1.tar.gz
66dd8274346fd006ff40f525c082cfb701085b5f SOURCES/pam_ssh_agent_auth-0.10.4.tar.gz

View File

@ -28,7 +28,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
+ options->enable_k5users = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
options->permit_empty_passwd = -1;
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
#endif
if (options->use_kuserok == -1)
@ -72,9 +72,9 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
+ intptr = &options->enable_k5users;
+ goto parse_flag;
+
case sPermitListen:
case sPermitOpen:
if (opcode == sPermitListen) {
case sMatch:
if (cmdline)
fatal("Match directive not supported as a command-line "
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);

View File

@ -182,7 +182,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
+ options->use_kuserok = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
options->permit_empty_passwd = -1;
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
if (options->gss_kex_algorithms == NULL)
options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
@ -193,9 +193,9 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -399,7 +402,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
sChallengeResponseAuthentication,
@ -217,16 +217,16 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
*inc_flags &= ~SSHCFG_MATCH_ONLY;
break;
}
break;
+ case sKerberosUseKuserok:
+ intptr = &options->use_kuserok;
+ goto parse_flag;
+
case sPermitListen:
case sPermitOpen:
if (opcode == sPermitListen) {
case sMatch:
if (cmdline)
fatal("Match directive not supported as a command-line "
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(client_alive_interval);
M_CP_INTOPT(ip_qos_interactive);

View File

@ -54,18 +54,6 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
@@ -409,8 +409,10 @@ sshauthopt_parse(const char *opts, const
errstr = "invalid environment string";
goto fail;
}
- if ((cp = strdup(opt)) == NULL)
+ if ((cp = strdup(opt)) == NULL) {
+ free(opt);
goto alloc_fail;
+ }
cp[tmp - opt] = '\0'; /* truncate at '=' */
if (!valid_env_name(cp)) {
free(cp);
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
return r;
}
@ -133,13 +121,13 @@ diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100
@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
&hostkey_digest_len, hostkey)) {
error("Error calculating key fingerprint.");
freerrset(fingerprints);
&hostkey_digest, &hostkey_digest_len, hostkey)) {
error("Error calculating key fingerprint.");
freerrset(fingerprints);
+ free(dnskey_digest);
return -1;
}
}
return -1;
}
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
@ -301,6 +289,36 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open
int i;
if (sa == NULL) {
diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c
--- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity 2021-08-30 16:36:11.357288009 +0200
+++ openssh-8.7p1/openbsd-compat/bsd-pselect.c 2021-08-30 16:37:21.791897976 +0200
@@ -113,13 +113,13 @@ pselect_notify_setup(void)
static void
pselect_notify_parent(void)
{
- if (notify_pipe[1] != -1)
+ if (notify_pipe[1] >= 0)
(void)write(notify_pipe[1], "", 1);
}
static void
pselect_notify_prepare(fd_set *readset)
{
- if (notify_pipe[0] != -1)
+ if (notify_pipe[0] >= 0)
FD_SET(notify_pipe[0], readset);
}
static void
@@ -127,8 +127,8 @@ pselect_notify_done(fd_set *readset)
{
char c;
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) {
- while (read(notify_pipe[0], &c, 1) != -1)
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) {
+ while (read(notify_pipe[0], &c, 1) >= 0)
debug2_f("reading");
FD_CLR(notify_pipe[0], readset);
}
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
@ -309,33 +327,29 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
error("%.200s line %d: glob failed for %s.",
filename, linenum, arg2);
+ free(arg2);
return -1;
goto out;
}
free(arg2);
diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
--- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100
+++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100
@@ -157,7 +157,7 @@ killchild(int signo)
diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200
+++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200
@@ -186,11 +186,11 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid, NULL, 0);
+ (void) waitpid(do_cmd_pid, NULL, 0);
}
if (do_cmd_pid2 > 1) {
kill(do_cmd_pid2, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid2, NULL, 0);
+ (void) waitpid(do_cmd_pid2, NULL, 0);
}
if (signo)
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
@@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.",
filename, linenum);
if (!*activep) {
- arg = strdelim(&cp);
+ /*arg =*/ (void) strdelim(&cp);
break;
}
for (i = 0; i < options->num_subsystems; i++)
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
@ -348,37 +362,10 @@ diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
}
break;
diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
--- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/serverloop.c 2016-12-23 16:40:26.902788691 +0100
@@ -125,13 +125,13 @@ notify_setup(void)
static void
notify_parent(void)
{
- if (notify_pipe[1] != -1)
+ if (notify_pipe[1] >= 0)
(void)write(notify_pipe[1], "", 1);
}
static void
notify_prepare(fd_set *readset)
{
- if (notify_pipe[0] != -1)
+ if (notify_pipe[0] >= 0)
FD_SET(notify_pipe[0], readset);
}
static void
@@ -139,8 +139,8 @@ notify_done(fd_set *readset)
{
char c;
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
- while (read(notify_pipe[0], &c, 1) != -1)
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
+ while (read(notify_pipe[0], &c, 1) >= 0)
debug2_f("reading");
}
@@ -518,7 +518,7 @@ server_request_tun(void)
diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
--- openssh-8.7p1/serverloop.c.coverity 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/serverloop.c 2021-08-30 16:28:22.416226981 +0200
@@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh)
debug_f("invalid tun");
goto done;
}
@ -434,6 +421,30 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
continue;
}
lname = ls_file(fname, g.gl_statv[i], 1,
diff --git a/sftp-client.c b/sftp-client.c
index 9de9afa20f..ea98d9f8d0 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -2195,6 +2195,7 @@ handle_dest_replies(struct sftp_conn *to, const char *to_path, int synchronous,
(*nreqsp)--;
}
debug3_f("done: %u outstanding replies", *nreqsp);
+ sshbuf_free(msg);
}
int
diff --git a/sftp-server.c b/sftp-server.c
index 18d1949112..6380c4dd23 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1553,6 +1553,7 @@ process_extended_expand(u_int32_t id)
npath = xstrdup(path + 2);
free(path);
xasprintf(&path, "%s/%s", cwd, npath);
+ free(npath);
} else {
/* ~user expansions */
if (tilde_expand(path, pw->pw_uid, &npath) != 0) {
diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c
--- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100

View File

@ -807,15 +807,6 @@ diff -up openssh-8.6p1/auth2-pubkey.c.audit openssh-8.6p1/auth2-pubkey.c
diff -up openssh-8.6p1/auth.c.audit openssh-8.6p1/auth.c
--- openssh-8.6p1/auth.c.audit 2021-05-06 12:05:27.304463967 +0200
+++ openssh-8.6p1/auth.c 2021-05-06 12:05:27.378464540 +0200
@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authentica
# endif
#endif
#ifdef SSH_AUDIT_EVENTS
- if (authenticated == 0 && !authctxt->postponed)
+ if (authenticated == 0 && !authctxt->postponed && !partial)
audit_event(ssh, audit_classify_auth(method));
#endif
}
@@ -597,9 +597,6 @@ getpwnamallow(struct ssh *ssh, const cha
record_failed_login(ssh, user,
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
@ -1204,9 +1195,9 @@ diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
- sigalg, ssh->compat, &sig_details);
debug3_f("%s %p signature %s%s%s", auth_method, key,
(ret == 0) ? "verified" : "unverified",
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
debug3_f("%s %s signature %s%s%s", auth_method, sshkey_type(key),
(ret == 0) ? "verified" : "unverified",
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
@@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session
}
@ -2065,7 +2056,7 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
close_startup_pipes(void)
{
@@ -377,18 +387,45 @@ grace_alarm_handler(int sig)
ssh_remote_port(the_active_state));
}
}
-/* Destroy the host and server keys. They will no longer be needed. */

View File

@ -504,15 +504,15 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
options->gss_authentication = 0;
if (options->gss_keyex == -1)
@@ -506,7 +509,8 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
+ sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@@ -593,11 +597,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },

View File

@ -15,7 +15,7 @@ diff -up openssh/ssh_config.redhat openssh/ssh_config
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100
+++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100
@@ -0,0 +1,21 @@
@@ -0,0 +1,15 @@
+# The options here are in the "Match final block" to be applied as the last
+# options and could be potentially overwritten by the user configuration
+Match final all
@ -29,12 +29,6 @@ diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
+# mode correctly we set this to yes.
+ ForwardX11Trusted yes
+
+# Send locale-related environment variables
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
+
+# Uncomment this if you want to use .local domain
+# Host *.local
diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
@ -86,7 +80,7 @@ diff -up openssh/sshd_config.redhat openssh/sshd_config
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100
+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100
@@ -0,0 +1,28 @@
@@ -0,0 +1,22 @@
+# This system is following system-wide crypto policy. The changes to
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
+# this or following included files. To override some configuration option,
@ -109,9 +103,3 @@ diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
+# as it is more configurable and versatile than the built-in version.
+PrintMotd no
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+

View File

@ -18,7 +18,7 @@ diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
@@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# and KbdInteractiveAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
#UsePAM no

View File

@ -337,7 +337,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
@@ -92,7 +92,8 @@ PORTS= port-aix.o \
port-linux.o \
port-prngd.o \
port-solaris.o \
port-net.o \
- port-uw.o

View File

@ -1,7 +1,7 @@
diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
--- openssh-8.6p1/ssh_config.5.crypto-policies 2021-04-19 15:18:32.071920379 +0200
+++ openssh-8.6p1/ssh_config.5 2021-04-19 15:21:18.400179265 +0200
@@ -368,15 +368,13 @@ or
diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
--- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200
+++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200
@@ -373,17 +373,13 @@ or
.Qq *.c.example.com
domains.
.It Cm CASignatureAlgorithms
@ -14,15 +14,17 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,ecdsa-sha2-nistp256,
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
-.Pp
.Xr ssh 1
will not accept host certificates signed using algorithms other than those
specified.
@@ -436,20 +434,25 @@ If the option is set to
If the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
@@ -445,20 +441,25 @@ If the option is set to
(the default),
the check will not be executed.
.It Cm Ciphers
@ -52,7 +54,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
.Pp
The supported ciphers are:
.Bd -literal -offset indent
@@ -465,13 +468,6 @@ aes256-gcm@openssh.com
@@ -474,13 +475,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
.Ed
.Pp
@ -66,7 +68,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClearAllForwardings
@@ -826,6 +822,11 @@ command line will be passed untouched to
@@ -874,6 +868,11 @@ command line will be passed untouched to
The default is
.Dq no .
.It Cm GSSAPIKexAlgorithms
@ -78,7 +80,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
The list of key exchange algorithms that are offered for GSSAPI
key exchange. Possible values are
.Bd -literal -offset 3n
@@ -838,10 +839,8 @@ gss-nistp256-sha256-,
@@ -886,10 +885,8 @@ gss-nistp256-sha256-,
gss-curve25519-sha256-
.Ed
.Pp
@ -90,7 +92,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
@@ -1169,29 +1168,25 @@ it may be zero or more of:
@@ -1219,29 +1216,25 @@ it may be zero or more of:
and
.Cm pam .
.It Cm KexAlgorithms
@ -129,7 +131,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
@@ -1301,37 +1296,33 @@ function, and all code in the
@@ -1351,37 +1344,33 @@ function, and all code in the
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
@ -176,7 +178,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost
@@ -1503,37 +1494,25 @@ instead of continuing to execute and pas
@@ -1553,37 +1542,25 @@ instead of continuing to execute and pas
The default is
.Cm no .
.It Cm PubkeyAcceptedAlgorithms
@ -223,10 +225,10 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms .
diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
--- openssh-8.6p1/sshd_config.5.crypto-policies 2021-04-19 15:18:32.062920311 +0200
+++ openssh-8.6p1/sshd_config.5 2021-04-19 15:20:42.591908243 +0200
@@ -373,15 +373,13 @@ If the argument is
diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
--- openssh-8.7p1/sshd_config.5.crypto-policies 2021-08-30 13:29:00.157292731 +0200
+++ openssh-8.7p1/sshd_config.5 2021-08-30 13:32:16.263918533 +0200
@@ -373,17 +373,13 @@ If the argument is
then no banner is displayed.
By default, no banner is displayed.
.It Cm CASignatureAlgorithms
@ -239,15 +241,17 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,ecdsa-sha2-nistp256,
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
-.Pp
Certificates signed using other algorithms will not be accepted for
public key or host-based authentication.
.It Cm ChallengeResponseAuthentication
@@ -445,20 +443,25 @@ The default is
If the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
@@ -450,20 +446,25 @@ The default is
indicating not to
.Xr chroot 2 .
.It Cm Ciphers
@ -277,7 +281,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
.Pp
The supported ciphers are:
.Pp
@@ -485,13 +488,6 @@ aes256-gcm@openssh.com
@@ -490,13 +491,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
.El
.Pp
@ -291,7 +295,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClientAliveCountMax
@@ -680,21 +676,22 @@ For this to work
@@ -685,21 +679,22 @@ For this to work
.Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client.
.It Cm GSSAPIKexAlgorithms
@ -324,7 +328,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedAlgorithms
Specifies the signature algorithms that will be accepted for hostbased
@@ -794,26 +791,13 @@ is specified, the location of the socket
@@ -799,26 +794,13 @@ is specified, the location of the socket
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
@ -356,7 +360,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts
@@ -958,20 +942,25 @@ Specifies whether to look at .k5login fi
@@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi
The default is
.Cm yes .
.It Cm KexAlgorithms
@ -386,7 +390,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
@@ -1003,15 +992,6 @@ ecdh-sha2-nistp521
@@ -1010,15 +997,6 @@ ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com
.El
.Pp
@ -402,7 +406,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress
@@ -1097,21 +1077,26 @@ function, and all code in the
@@ -1104,21 +1082,26 @@ function, and all code in the
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
@ -433,7 +437,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
.Pp
The algorithms that contain
.Qq -etm
@@ -1154,15 +1139,6 @@ umac-64-etm@openssh.com
@@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com
umac-128-etm@openssh.com
.El
.Pp
@ -449,7 +453,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm Match
@@ -1541,37 +1517,25 @@ or equivalent.)
@@ -1548,37 +1522,25 @@ or equivalent.)
The default is
.Cm yes .
.It Cm PubkeyAcceptedAlgorithms

View File

@ -19,11 +19,10 @@ index e7549470..b68c1710 100644
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
srclimit.o sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
diff --git a/auth.c b/auth.c
index 086b8ebb..687c57b4 100644
--- a/auth.c
+++ b/auth.c
@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
diff -up a/auth.c.gsskex b/auth.c
--- a/auth.c.gsskex 2021-08-20 06:03:49.000000000 +0200
+++ b/auth.c 2021-08-27 12:41:51.262788953 +0200
@@ -402,7 +402,8 @@ auth_root_allowed(struct ssh *ssh, const
case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 ||
@ -33,18 +32,15 @@ index 086b8ebb..687c57b4 100644
return 1;
break;
case PERMIT_FORCED_ONLY:
@@ -724,99 +725,6 @@ fakepw(void)
return (&fake);
@@ -730,97 +731,6 @@ fakepw(void)
}
-/*
/*
- * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
- * attacks on legacy rhosts-style authentication.
- * XXX is RhostsRSAAuthentication vulnerable to these?
- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
- * attacks on based on conflation of hostnames and IP addresses.
- */
-
-static char *
@ -130,9 +126,10 @@ index 086b8ebb..687c57b4 100644
- return xstrdup(name);
-}
-
/*
-/*
* Return the canonical name of the host in the other side of the current
* connection. The host name is cached, so it is efficient to call this
* several times.
diff --git a/auth2-gss.c b/auth2-gss.c
index 9351e042..d6446c0c 100644
--- a/auth2-gss.c
@ -2933,10 +2930,9 @@ index 23ab096a..485590c1 100644
#endif
#ifdef USE_PAM
diff --git a/readconf.c b/readconf.c
index f3cac6b3..da8022dd 100644
--- a/readconf.c
+++ b/readconf.c
diff -up a/readconf.c.gsskex b/readconf.c
--- a/readconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200
+++ b/readconf.c 2021-08-27 12:25:42.556421509 +0200
@@ -67,6 +67,7 @@
#include "uidswap.h"
#include "myproposal.h"
@ -2945,7 +2941,7 @@ index f3cac6b3..da8022dd 100644
/* Format of the configuration file:
@@ -160,6 +161,8 @@ typedef enum {
@@ -161,6 +162,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -2954,7 +2950,7 @@ index f3cac6b3..da8022dd 100644
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -204,10 +207,22 @@ static struct {
@@ -206,10 +209,22 @@ static struct {
/* Sometimes-unsupported options */
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
@ -2977,7 +2973,7 @@ index f3cac6b3..da8022dd 100644
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
@@ -1029,10 +1044,42 @@ parse_time:
@@ -1113,10 +1128,42 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@ -3006,7 +3002,7 @@ index f3cac6b3..da8022dd 100644
+ goto parse_flag;
+
+ case oGssKexAlgorithms:
+ arg = strdelim(&s);
+ arg = argv_next(&ac, &av);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
@ -3020,9 +3016,9 @@ index f3cac6b3..da8022dd 100644
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1911,7 +1958,13 @@ initialize_options(Options * options)
@@ -2306,7 +2353,13 @@ initialize_options(Options * options)
options->fwd_opts.streamlocal_bind_unlink = -1;
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
+ options->gss_keyex = -1;
options->gss_deleg_creds = -1;
@ -3034,8 +3030,8 @@ index f3cac6b3..da8022dd 100644
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -2059,8 +2112,18 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1;
@@ -2463,8 +2516,18 @@ fill_default_options(Options * options)
options->pubkey_authentication = 1;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
+ if (options->gss_keyex == -1)
@ -3053,7 +3049,7 @@ index f3cac6b3..da8022dd 100644
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host)
@@ -3246,7 +3309,14 @@ dump_client_config(Options *o, const cha
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
#ifdef GSSAPI
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@ -3068,13 +3064,12 @@ index f3cac6b3..da8022dd 100644
#endif /* GSSAPI */
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
diff --git a/readconf.h b/readconf.h
index feedb3d2..a8a8870d 100644
--- a/readconf.h
+++ b/readconf.h
@@ -41,7 +41,13 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
diff -up a/readconf.h.gsskex b/readconf.h
--- a/readconf.h.gsskex 2021-08-27 12:05:29.248142431 +0200
+++ b/readconf.h 2021-08-27 12:22:19.270679852 +0200
@@ -39,7 +39,13 @@ typedef struct {
int pubkey_authentication; /* Try ssh2 pubkey authentication. */
int hostbased_authentication; /* ssh2's rhosts_rsa */
int gss_authentication; /* Try GSS authentication */
+ int gss_keyex; /* Try GSS key exchange */
int gss_deleg_creds; /* Delegate GSS credentials */
@ -3086,11 +3081,10 @@ index feedb3d2..a8a8870d 100644
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/servconf.c b/servconf.c
index 70f5f73f..191575a1 100644
--- a/servconf.c
+++ b/servconf.c
@@ -69,6 +69,7 @@
diff -up a/servconf.c.gsskex b/servconf.c
--- a/servconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200
+++ b/servconf.c 2021-08-27 12:28:15.887735189 +0200
@@ -70,6 +70,7 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
@ -3098,7 +3092,7 @@ index 70f5f73f..191575a1 100644
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
@@ -133,8 +134,11 @@ initialize_server_options(ServerOptions *options)
@@ -136,8 +137,11 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@ -3109,8 +3103,8 @@ index 70f5f73f..191575a1 100644
+ options->gss_kex_algorithms = NULL;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -375,10 +379,18 @@ fill_default_server_options(ServerOptions *options)
options->permit_empty_passwd = -1;
@@ -356,10 +360,18 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@ -3129,7 +3123,7 @@ index 70f5f73f..191575a1 100644
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -531,6 +543,7 @@ typedef enum {
@@ -506,6 +518,7 @@ typedef enum {
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@ -3137,7 +3131,7 @@ index 70f5f73f..191575a1 100644
sAcceptEnv, sSetEnv, sPermitTunnel,
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -607,12 +620,22 @@ static struct {
@@ -587,12 +600,22 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -3159,8 +3153,8 @@ index 70f5f73f..191575a1 100644
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
@@ -1576,6 +1599,10 @@ process_server_config_line_depth(ServerO
intptr = &options->gss_authentication;
goto parse_flag;
@ -3171,7 +3165,7 @@ index 70f5f73f..191575a1 100644
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
@@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
@@ -1584,6 +1611,22 @@ process_server_config_line_depth(ServerO
intptr = &options->gss_strict_acceptor;
goto parse_flag;
@ -3180,7 +3174,7 @@ index 70f5f73f..191575a1 100644
+ goto parse_flag;
+
+ case sGssKexAlgorithms:
+ arg = strdelim(&cp);
+ arg = argv_next(&ac, &av);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
@ -3194,7 +3188,7 @@ index 70f5f73f..191575a1 100644
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
@@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o)
@@ -2892,6 +2935,10 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);

View File

@ -120,10 +120,12 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in
# These all need to be compiled -fPIC, so they are treated differently.
SK_DUMMY_OBJS=\
regress/misc/sk-dummy/sk-dummy.lo \
@@ -709,6 +724,7 @@ regress-unit-binaries: regress-prep $(RE
@@ -711,7 +726,8 @@ regress-unit-binaries: regress-prep $(RE
regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
regress/unittests/sshkey/test_sshkey$(EXEEXT) \
regress/unittests/sshsig/test_sshsig$(EXEEXT) \
regress/unittests/utf8/test_utf8$(EXEEXT) \
- regress/unittests/utf8/test_utf8$(EXEEXT)
+ regress/unittests/utf8/test_utf8$(EXEEXT) \
+ regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
tests: file-tests t-exec interop-tests unit
@ -1379,8 +1381,8 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
CK_RV rv;
CK_ULONG i;
- debug("pkcs11_provider_finalize: %p refcount %d valid %d",
- p, p->refcount, p->valid);
- debug_f("provider \"%s\" refcount %d valid %d",
- p->name, p->refcount, p->valid);
- if (!p->valid)
+ debug_f("%p refcount %d valid %d", m, m->refcount, m->valid);
+ if (!m->valid)
@ -1423,9 +1425,9 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
+}
+
+/*
+ * finalize a provider shared libarary, it's no longer usable.
+ * finalize a provider shared library, it's no longer usable.
+ * however, there might still be keys referencing this provider,
+ * so the actuall freeing of memory is handled by pkcs11_provider_unref().
+ * so the actual freeing of memory is handled by pkcs11_provider_unref().
+ * this is called when a provider gets unregistered.
+ */
+static void
@ -1442,15 +1444,12 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
}
/*
@@ -135,13 +178,11 @@ pkcs11_provider_finalize(struct pkcs11_p
static void
pkcs11_provider_unref(struct pkcs11_provider *p)
@@ -137,11 +180,9 @@ pkcs11_provider_unref(struct pkcs11_prov
{
- debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount);
+ debug_f("%p refcount %d", p, p->refcount);
debug_f("provider \"%s\" refcount %d", p->name, p->refcount);
if (--p->refcount <= 0) {
- if (p->valid)
- error("pkcs11_provider_unref: %p still valid", p);
- error_f("provider \"%s\" still valid", p->name);
free(p->name);
- free(p->slotlist);
- free(p->slotinfo);
@ -2123,16 +2122,16 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
+ key_attr[nattr].ulValueLen = strlen(uri->object);
+ nattr++;
+ }
+
+ session = p->module->slotinfo[slotidx].session;
+ f = p->module->function_list;
- rv = f->C_FindObjectsInit(session, key_attr, 1);
+ session = p->module->slotinfo[slotidx].session;
+ f = p->module->function_list;
+
+ rv = f->C_FindObjectsInit(session, key_attr, nattr);
if (rv != CKR_OK) {
error("C_FindObjectsInit failed: %lu", rv);
goto fail;
@@ -1499,16 +1687,10 @@ pkcs11_ecdsa_generate_private_key(struct
@@ -1499,16 +1690,10 @@ pkcs11_ecdsa_generate_private_key(struct
}
#endif /* WITH_PKCS11_KEYGEN */
@ -2237,17 +2236,17 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
error("C_GetInfo for provider %s failed: %lu",
- provider_id, rv);
+ provider_module, rv);
goto fail;
}
- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
+ goto fail;
+ }
+ rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
+ if (uri->lib_manuf != NULL &&
+ strcmp(uri->lib_manuf, m->info.manufacturerID)) {
+ debug_f("Skipping provider %s not matching library_manufacturer",
+ m->info.manufacturerID);
+ goto fail;
+ }
goto fail;
}
- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
+ rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d"
" libraryDescription <%s> libraryVersion %d.%d",

View File

@ -1,320 +0,0 @@
diff --git a/channels.c b/channels.c
index 32d1f617..0024f751 100644
--- a/channels.c
+++ b/channels.c
@@ -333,7 +333,27 @@ channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd,
#endif
/* enable nonblocking mode */
- if (nonblock) {
+ c->restore_block = 0;
+ if (nonblock == CHANNEL_NONBLOCK_STDIO) {
+ /*
+ * Special handling for stdio file descriptors: do not set
+ * non-blocking mode if they are TTYs. Otherwise prepare to
+ * restore their blocking state on exit to avoid interfering
+ * with other programs that follow.
+ */
+ if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
+ c->restore_block |= CHANNEL_RESTORE_RFD;
+ set_nonblock(rfd);
+ }
+ if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
+ c->restore_block |= CHANNEL_RESTORE_WFD;
+ set_nonblock(wfd);
+ }
+ if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
+ c->restore_block |= CHANNEL_RESTORE_EFD;
+ set_nonblock(efd);
+ }
+ } else if (nonblock) {
if (rfd != -1)
set_nonblock(rfd);
if (wfd != -1)
@@ -422,17 +442,23 @@ channel_find_maxfd(struct ssh_channels *sc)
}
int
-channel_close_fd(struct ssh *ssh, int *fdp)
+channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
{
struct ssh_channels *sc = ssh->chanctxt;
- int ret = 0, fd = *fdp;
+ int ret, fd = *fdp;
- if (fd != -1) {
- ret = close(fd);
- *fdp = -1;
- if (fd == sc->channel_max_fd)
- channel_find_maxfd(sc);
- }
+ if (fd == -1)
+ return 0;
+
+ if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ||
+ (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ||
+ (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0))
+ (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */
+
+ ret = close(fd);
+ *fdp = -1;
+ if (fd == sc->channel_max_fd)
+ channel_find_maxfd(sc);
return ret;
}
@@ -442,13 +468,13 @@ channel_close_fds(struct ssh *ssh, Channel *c)
{
int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
- channel_close_fd(ssh, &c->sock);
+ channel_close_fd(ssh, c, &c->sock);
if (rfd != sock)
- channel_close_fd(ssh, &c->rfd);
+ channel_close_fd(ssh, c, &c->rfd);
if (wfd != sock && wfd != rfd)
- channel_close_fd(ssh, &c->wfd);
+ channel_close_fd(ssh, c, &c->wfd);
if (efd != sock && efd != rfd && efd != wfd)
- channel_close_fd(ssh, &c->efd);
+ channel_close_fd(ssh, c, &c->efd);
}
static void
@@ -702,7 +728,7 @@ channel_stop_listening(struct ssh *ssh)
case SSH_CHANNEL_X11_LISTENER:
case SSH_CHANNEL_UNIX_LISTENER:
case SSH_CHANNEL_RUNIX_LISTENER:
- channel_close_fd(ssh, &c->sock);
+ channel_close_fd(ssh, c, &c->sock);
channel_free(ssh, c);
break;
}
@@ -1491,7 +1517,8 @@ channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output)
Channel *
channel_connect_stdio_fwd(struct ssh *ssh,
- const char *host_to_connect, u_short port_to_connect, int in, int out)
+ const char *host_to_connect, u_short port_to_connect,
+ int in, int out, int nonblock)
{
Channel *c;
@@ -1499,7 +1526,7 @@ channel_connect_stdio_fwd(struct ssh *ssh,
c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
-1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, "stdio-forward", /*nonblock*/0);
+ 0, "stdio-forward", nonblock);
c->path = xstrdup(host_to_connect);
c->host_port = port_to_connect;
@@ -1649,7 +1676,7 @@ channel_post_x11_listener(struct ssh *ssh, Channel *c,
if (c->single_connection) {
oerrno = errno;
debug2("single_connection: closing X11 listener.");
- channel_close_fd(ssh, &c->sock);
+ channel_close_fd(ssh, c, &c->sock);
chan_mark_dead(ssh, c);
errno = oerrno;
}
@@ -2058,7 +2085,7 @@ channel_handle_efd_write(struct ssh *ssh, Channel *c,
return 1;
if (len <= 0) {
debug2("channel %d: closing write-efd %d", c->self, c->efd);
- channel_close_fd(ssh, &c->efd);
+ channel_close_fd(ssh, c, &c->efd);
} else {
if ((r = sshbuf_consume(c->extended, len)) != 0)
fatal_fr(r, "channel %i: consume", c->self);
@@ -2087,7 +2114,7 @@ channel_handle_efd_read(struct ssh *ssh, Channel *c,
return 1;
if (len <= 0) {
debug2("channel %d: closing read-efd %d", c->self, c->efd);
- channel_close_fd(ssh, &c->efd);
+ channel_close_fd(ssh, c, &c->efd);
} else if (c->extended_usage == CHAN_EXTENDED_IGNORE)
debug3("channel %d: discard efd", c->self);
else if ((r = sshbuf_put(c->extended, buf, len)) != 0)
diff --git a/channels.h b/channels.h
index 378d987c..6bf86b00 100644
--- a/channels.h
+++ b/channels.h
@@ -63,6 +63,16 @@
#define CHANNEL_CANCEL_PORT_STATIC -1
+/* nonblocking flags for channel_new */
+#define CHANNEL_NONBLOCK_LEAVE 0 /* don't modify non-blocking state */
+#define CHANNEL_NONBLOCK_SET 1 /* set non-blocking state */
+#define CHANNEL_NONBLOCK_STDIO 2 /* set non-blocking and restore on close */
+
+/* c->restore_block mask flags */
+#define CHANNEL_RESTORE_RFD 0x01
+#define CHANNEL_RESTORE_WFD 0x02
+#define CHANNEL_RESTORE_EFD 0x04
+
/* TCP forwarding */
#define FORWARD_DENY 0
#define FORWARD_REMOTE (1)
@@ -139,6 +149,7 @@ struct Channel {
* to a matching pre-select handler.
* this way post-select handlers are not
* accidentally called if a FD gets reused */
+ int restore_block; /* fd mask to restore blocking status */
struct sshbuf *input; /* data read from socket, to be sent over
* encrypted connection */
struct sshbuf *output; /* data received over encrypted connection for
@@ -266,7 +277,7 @@ void channel_register_filter(struct ssh *, int, channel_infilter_fn *,
void channel_register_status_confirm(struct ssh *, int,
channel_confirm_cb *, channel_confirm_abandon_cb *, void *);
void channel_cancel_cleanup(struct ssh *, int);
-int channel_close_fd(struct ssh *, int *);
+int channel_close_fd(struct ssh *, Channel *, int *);
void channel_send_window_changes(struct ssh *);
/* mux proxy support */
@@ -313,7 +324,7 @@ Channel *channel_connect_to_port(struct ssh *, const char *, u_short,
char *, char *, int *, const char **);
Channel *channel_connect_to_path(struct ssh *, const char *, char *, char *);
Channel *channel_connect_stdio_fwd(struct ssh *, const char*,
- u_short, int, int);
+ u_short, int, int, int);
Channel *channel_connect_by_listen_address(struct ssh *, const char *,
u_short, char *, char *);
Channel *channel_connect_by_listen_path(struct ssh *, const char *,
diff --git a/clientloop.c b/clientloop.c
index 219f0e90..bdd67686 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1405,14 +1405,6 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
if (have_pty)
leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
- /* restore blocking io */
- if (!isatty(fileno(stdin)))
- unset_nonblock(fileno(stdin));
- if (!isatty(fileno(stdout)))
- unset_nonblock(fileno(stdout));
- if (!isatty(fileno(stderr)))
- unset_nonblock(fileno(stderr));
-
/*
* If there was no shell or command requested, there will be no remote
* exit status to be returned. In that case, clear error code if the
diff --git a/mux.c b/mux.c
index faf4ef1e..9454bfed 100644
--- a/mux.c
+++ b/mux.c
@@ -452,14 +452,6 @@ mux_master_process_new_session(struct ssh *ssh, u_int rid,
if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
error_f("tcgetattr: %s", strerror(errno));
- /* enable nonblocking unless tty */
- if (!isatty(new_fd[0]))
- set_nonblock(new_fd[0]);
- if (!isatty(new_fd[1]))
- set_nonblock(new_fd[1]);
- if (!isatty(new_fd[2]))
- set_nonblock(new_fd[2]);
-
window = CHAN_SES_WINDOW_DEFAULT;
packetmax = CHAN_SES_PACKET_DEFAULT;
if (cctx->want_tty) {
@@ -469,7 +461,7 @@ mux_master_process_new_session(struct ssh *ssh, u_int rid,
nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING,
new_fd[0], new_fd[1], new_fd[2], window, packetmax,
- CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
+ CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO);
nc->ctl_chan = c->self; /* link session -> control channel */
c->remote_id = nc->self; /* link control -> session channel */
@@ -1025,13 +1017,8 @@ mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid,
}
}
- /* enable nonblocking unless tty */
- if (!isatty(new_fd[0]))
- set_nonblock(new_fd[0]);
- if (!isatty(new_fd[1]))
- set_nonblock(new_fd[1]);
-
- nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1]);
+ nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1],
+ CHANNEL_NONBLOCK_STDIO);
free(chost);
nc->ctl_chan = c->self; /* link session -> control channel */
diff --git a/nchan.c b/nchan.c
index 4a4494b8..7ef3a350 100644
--- a/nchan.c
+++ b/nchan.c
@@ -384,7 +384,7 @@ chan_shutdown_write(struct ssh *ssh, Channel *c)
c->istate, c->ostate, strerror(errno));
}
} else {
- if (channel_close_fd(ssh, &c->wfd) < 0) {
+ if (channel_close_fd(ssh, c, &c->wfd) < 0) {
logit_f("channel %d: close() failed for "
"fd %d [i%d o%d]: %.100s", c->self, c->wfd,
c->istate, c->ostate, strerror(errno));
@@ -412,7 +412,7 @@ chan_shutdown_read(struct ssh *ssh, Channel *c)
c->istate, c->ostate, strerror(errno));
}
} else {
- if (channel_close_fd(ssh, &c->rfd) < 0) {
+ if (channel_close_fd(ssh, c, &c->rfd) < 0) {
logit_f("channel %d: close() failed for "
"fd %d [i%d o%d]: %.100s", c->self, c->rfd,
c->istate, c->ostate, strerror(errno));
@@ -431,7 +431,7 @@ chan_shutdown_extended_read(struct ssh *ssh, Channel *c)
debug_f("channel %d: (i%d o%d sock %d wfd %d efd %d [%s])",
c->self, c->istate, c->ostate, c->sock, c->rfd, c->efd,
channel_format_extended_usage(c));
- if (channel_close_fd(ssh, &c->efd) < 0) {
+ if (channel_close_fd(ssh, c, &c->efd) < 0) {
logit_f("channel %d: close() failed for "
"extended fd %d [i%d o%d]: %.100s", c->self, c->efd,
c->istate, c->ostate, strerror(errno));
diff --git a/ssh.c b/ssh.c
index 696dc3bc..6243db76 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1876,9 +1876,10 @@ ssh_init_stdio_forwarding(struct ssh *ssh)
if ((in = dup(STDIN_FILENO)) == -1 ||
(out = dup(STDOUT_FILENO)) == -1)
- fatal("channel_connect_stdio_fwd: dup() in/out failed");
+ fatal_f("dup() in/out failed");
if ((c = channel_connect_stdio_fwd(ssh, options.stdio_forward_host,
- options.stdio_forward_port, in, out)) == NULL)
+ options.stdio_forward_port, in, out,
+ CHANNEL_NONBLOCK_STDIO)) == NULL)
fatal_f("channel_connect_stdio_fwd failed");
channel_register_cleanup(ssh, c->self, client_cleanup_stdio_fwd, 0);
channel_register_open_confirm(ssh, c->self, ssh_stdio_confirm, NULL);
@@ -2074,14 +2075,6 @@ ssh_session2_open(struct ssh *ssh)
if (in == -1 || out == -1 || err == -1)
fatal("dup() in/out/err failed");
- /* enable nonblocking unless tty */
- if (!isatty(in))
- set_nonblock(in);
- if (!isatty(out))
- set_nonblock(out);
- if (!isatty(err))
- set_nonblock(err);
-
window = CHAN_SES_WINDOW_DEFAULT;
packetmax = CHAN_SES_PACKET_DEFAULT;
if (tty_flag) {
@@ -2091,7 +2084,7 @@ ssh_session2_open(struct ssh *ssh)
c = channel_new(ssh,
"session", SSH_CHANNEL_OPENING, in, out, err,
window, packetmax, CHAN_EXTENDED_WRITE,
- "client-session", /*nonblock*/0);
+ "client-session", CHANNEL_NONBLOCK_STDIO);
debug3_f("channel_new: %d", c->self);

View File

@ -1,57 +0,0 @@
--- compat.h.orig 2020-10-05 10:09:02.953505129 -0700
+++ compat.h 2020-10-05 10:10:17.587733113 -0700
@@ -34,7 +34,7 @@
#define SSH_BUG_UTF8TTYMODE 0x00000001
#define SSH_BUG_SIGTYPE 0x00000002
-/* #define unused 0x00000004 */
+#define SSH_BUG_SIGTYPE74 0x00000004
/* #define unused 0x00000008 */
#define SSH_OLD_SESSIONID 0x00000010
/* #define unused 0x00000020 */
--- compat.c.orig 2020-10-05 10:25:02.088720562 -0700
+++ compat.c 2020-10-05 10:13:11.637282492 -0700
@@ -65,11 +65,12 @@
{ "OpenSSH_6.5*,"
"OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
SSH_BUG_SIGTYPE},
+ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
+ SSH_BUG_SIGTYPE74},
{ "OpenSSH_7.0*,"
"OpenSSH_7.1*,"
"OpenSSH_7.2*,"
"OpenSSH_7.3*,"
- "OpenSSH_7.4*,"
"OpenSSH_7.5*,"
"OpenSSH_7.6*,"
"OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
--- sshconnect2.c.orig 2020-09-26 07:26:37.618010545 -0700
+++ sshconnect2.c 2020-10-05 10:47:22.116315148 -0700
@@ -1305,6 +1305,26 @@
break;
}
free(oallowed);
+ /*
+ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
+ * support. For that release, check the local policy against the
+ * SHA2 signature types.
+ */
+ if (alg == NULL &&
+ (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74))) {
+ oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
+ while ((cp = strsep(&allowed, ",")) != NULL) {
+ if (sshkey_type_from_name(cp) != key->type)
+ continue;
+ tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
+ if (tmp != NULL)
+ alg = xstrdup(cp);
+ free(tmp);
+ if (alg != NULL)
+ break;
+ }
+ free(oallowed);
+ }
return alg;
}

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmB5CwgACgkQKj9BTnNg
YLp01RAArXrAALtwTnWDysxBKTxGAUmXsPQOeaBCPd3zND3n0si6iinwwatSbu4d
eYj/EOlzXydJkgMImoq6ErZrP2LyApe9RQDHfn/zEr+k5iflOK4su59TK6Dwuy86
SPYsSNSBhABiVyH9HQelRyVLJfHwVU+DP/SaUemHGbeDLcczp5wh+mtXQPG7hMLi
yuZ1e9W4pO5HOXwoccS69amO0nhqpLb2qBYhenFjY4lZPmIf7UFkGsqIkYeAqHU4
/uhM0anxo7y+ezc2YD6eZHLrOZcRj1eYxh9IHGZnDcW2+6twks4aVK1kU+HI7xqt
m9bhB+RTVKit0hvNjyhZP3XrDksgCQyyiWuXOe323ane42noH1NP6W075lmnC11Q
JGueXJ+/vGPq3aYiad2mSZoHS82VfK43cCwXY9psCmZOMuWgARy/rxOWUZa3FBV7
bIS59Mr4hzjyODXArXc+z98Q3Y0qV8jT7xDHCfmsmivBjNcEWH2fX4KvyPHNogJP
C+4bA4WbOy9X6s3mKfQFgeLKA4MbeIhGTNFKl3Utyt7bl8dBzPU4nzBx5754e6Q2
2vRuLsTfAAGWTNwu+XfS5wvhjPMLkXBH4IUxY8acUTxLYY4uPnPFS2ZqCC94Ysrr
Af4DzNuqm8lkiglggwRwRLopVCuAHfScyqETdTOA1kLsILWdn8Q=
=Jsrn
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,46 @@
diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h
--- openssh-8.7p1/pathnames.h.kill-scp 2021-09-16 11:37:57.240171687 +0200
+++ openssh-8.7p1/pathnames.h 2021-09-16 11:42:29.183427917 +0200
@@ -42,6 +42,7 @@
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
#define _PATH_DH_MODULI SSHDIR "/moduli"
+#define _PATH_SCP_KILL_SWITCH SSHDIR "/disable_scp"
#ifndef _PATH_SSH_PROGRAM
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1
--- openssh-8.7p1/scp.1.kill-scp 2021-09-16 12:09:02.646714578 +0200
+++ openssh-8.7p1/scp.1 2021-09-16 12:26:49.978628226 +0200
@@ -278,6 +278,13 @@ to print debugging messages about their
This is helpful in
debugging connection, authentication, and configuration problems.
.El
+.Pp
+Usage of SCP protocol can be blocked by creating a world-readable
+.Ar /etc/ssh/disable_scp
+file. If this file exists, when SCP protocol is in use (either remotely or
+via the
+.Fl O
+option), the program will exit.
.Sh EXIT STATUS
.Ex -std scp
.Sh SEE ALSO
diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.kill-scp 2021-09-16 11:42:56.013650519 +0200
+++ openssh-8.7p1/scp.c 2021-09-16 11:53:03.249713836 +0200
@@ -596,6 +596,14 @@ main(int argc, char **argv)
if (iamremote)
mode = MODE_SCP;
+ if (mode == MODE_SCP) {
+ FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r");
+ if (f != NULL) {
+ fclose(f);
+ fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);
+ }
+ }
+
if ((pwd = getpwuid(userid = getuid())) == NULL)
fatal("unknown user %u", (u_int) userid);

View File

@ -0,0 +1,129 @@
diff --git a/scp.1 b/scp.1
index 68aac04b..a96e95ad 100644
--- a/scp.1
+++ b/scp.1
@@ -8,9 +8,9 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
+.\" $OpenBSD: scp.1,v 1.101 2021/09/08 23:31:39 djm Exp $
.\"
-.Dd $Mdocdate: August 11 2021 $
+.Dd $Mdocdate: September 8 2021 $
.Dt SCP 1
.Os
.Sh NAME
@@ -18,7 +18,7 @@
.Nd OpenSSH secure file copy
.Sh SYNOPSIS
.Nm scp
-.Op Fl 346ABCOpqRrsTv
+.Op Fl 346ABCOpqRrTv
.Op Fl c Ar cipher
.Op Fl D Ar sftp_server_path
.Op Fl F Ar ssh_config
@@ -37,9 +37,6 @@ It uses
.Xr ssh 1
for data transfer, and uses the same authentication and provides the
same security as a login session.
-The scp protocol requires execution of the remote user's shell to perform
-.Xr glob 3
-pattern matching.
.Pp
.Nm
will ask for passwords or passphrases if they are needed for
@@ -79,7 +76,9 @@ The options are as follows:
Copies between two remote hosts are transferred through the local host.
Without this option the data is copied directly between the two remote
hosts.
-Note that, when using the legacy SCP protocol (the default), this option
+Note that, when using the legacy SCP protocol (via the
+.Fl O
+flag), this option
selects batch mode for the second host as
.Nm
cannot ask for passwords or passphrases for both hosts.
@@ -146,9 +145,10 @@ Limits the used bandwidth, specified in Kbit/s.
.It Fl O
Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
Forcing the use of the SCP protocol may be necessary for servers that do
-not implement SFTP or for backwards-compatibility for particular filename
-wildcard patterns.
-This mode is the default.
+not implement SFTP, for backwards-compatibility for particular filename
+wildcard patterns and for expanding paths with a
+.Sq ~
+prefix for older SFTP servers.
.It Fl o Ar ssh_option
Can be used to pass options to
.Nm ssh
@@ -258,16 +258,6 @@ to use for the encrypted connection.
The program must understand
.Xr ssh 1
options.
-.It Fl s
-Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
-Using SFTP avoids invoking a shell on the remote side and provides
-more predictable filename handling, as the SCP protocol
-relied on the remote shell for expanding
-.Xr glob 3
-wildcards.
-.Pp
-A near-future release of OpenSSH will make the SFTP protocol the default.
-This option will be deleted before the end of 2022.
.It Fl T
Disable strict filename checking.
By default when copying files from a remote host to a local directory
@@ -299,11 +289,23 @@ debugging connection, authentication, and configuration problems.
.Xr ssh_config 5 ,
.Xr sftp-server 8 ,
.Xr sshd 8
+.Sh CAVEATS
+The original scp protocol (selected by the
+.Fl O
+flag) requires execution of the remote user's shell to perform
+.Xr glob 3
+pattern matching.
+This requires careful quoting of any characters that have special meaning to
+the remote shell, such as quote characters.
.Sh HISTORY
.Nm
is based on the rcp program in
.Bx
source code from the Regents of the University of California.
+.Pp
+Since OpenSSH 8.8 (8.7 in Red Hat/Fedora builds),
+.Nm
+has use the SFTP protocol for transfers by default.
.Sh AUTHORS
.An Timo Rinne Aq Mt tri@iki.fi
.An Tatu Ylonen Aq Mt ylo@cs.hut.fi
diff --git a/scp.c b/scp.c
index e039350c..c7cf7529 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */
+/* $OpenBSD: scp.c,v 1.233 2021/09/08 23:31:39 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -448,7 +448,7 @@ main(int argc, char **argv)
const char *errstr;
extern char *optarg;
extern int optind;
- enum scp_mode_e mode = MODE_SCP;
+ enum scp_mode_e mode = MODE_SFTP;